what's the difference between the two below when you are getting data from a form

$_POST['username'];

$_REQUEST['username'];

$_POST is just the data sent by the post method from the form. $_REQUEST aggregates get, post and cookie. See http://us2.php.net/manual/en/language.variables.predefined.php .

$_REQUEST is a combination of $_POST, $_GET and $_COOKIE. That means if you also have a cookie named 'username' as well as a POST variable the dominant variable will overwrite the recessive one.

K cool, so which one should i use to just get data from a form

Post

I always use "Request". That way I can change the form to get or store form values in cookies.

I always use "Request". That way I can change the form to get or store form values in cookies.Sounds like bad coding practice to me.

Sounds like bad coding practice to me.To you, which is why you don't do it. To me it sounds like good coding practice which is why I do.

To me it sounds like good coding practice which is why I do.Charles, in another thread you were recommending: extract($_REQUEST); These sort of coding practices return us to the days before register globals was disabled by default. Personally I want to keep track of where external variables are coming from rather than allowing users to inject variables into my script from unexpected locations. The chances are this variable will be abandoned in a future version or disabled by default.

By the way why would you need to convert a form between GET and POST; a request is either idempotent or it is not.

I agree with Bokeh, This is bad coding practice. Using Request is leaving the door open for injection.

Using the Request super-global over the Post super-global does make your script more susceptible to CSRF attacks. Yes POST requests can be emulated via javascript, though GET requests (the inclusion of a supposed image is a great example) are much more common.

I'll own that I erred when I posted that example extracting the $_REQUEST SG. However:

Consider the case of a nice idempotent form, perhaps it does some site navigation or preference setting, and it's a perfect candidate for a GET request. But for what ever reason you prefer to use POST with the form. Perhaps you kinda like the URLs simplified. But you also want, on occasion, to communicate with the form with a link.

And further, let's say you want to save one or more of those features in a cookie and use that value unless overridden by the form.

$_REQUEST is, in those cases, just what the doctor ordered.

Perhaps you kinda like the URLs simplified.That's not a valid reason to use a POST request although the concept is fair enough.But for what ever reason you prefer to use POST with the form.Sometimes I do use POST for idempotent requests for the opposite reason. I don't want people to be able to link to my output without having used the form. I have to use $_POST in these cases though otherwise I woudn't know from where the input had arrived.

Exactly. $_REQUEST is just another tool in your chest. Sometimes it's just the right tool for the job and sometimes it's not.